presented at the
USACM Workshop on Voter-Verifiable Election Systems
Denver
July 28, 2003

Introduction

On July 24, 2003, Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin
and Dan S. Wallach released a report on their analysis of the security
of the Diebold AccuVote direct recording electronic voting system [1].
This story was covered on the same day by the New York Times [2].

In response, I immediately called for the decertification of the
Diebold AccuVote direct recording electronic voting system. The long
version of the story leading up to my call for decertification is available
on-line and will be updated as this story develops [3].
What I present here is a short summary of this story.

Background

In 1996, I-Mark Systems submitted its
Electronic Ballot Station, Model 100,
to Wyle Laboratories of Huntsville, Alabama for testing against the Federal
Election Commission's 1990 Voting System Standards [4].
The Wyle Labs report on this system described it as the best voting system
software they had ever examined; the embedded software for this system was
written in C++ and ran under Windows 95, using a clever-seeming smartcard-based
system for voter authentication [5].

In mid 1997, Global Election Systems acquired I-Mark Systems; Global had
acquired the AccuVote optical mark-sense system from Unisys in 1991,
and one of their first steps after acquiring the
Electronic Ballot Station was to rename it the
Global AccoTouch EBS voting system. Global submitted
this system to the Iowa Board of Examiners for Voting Machines and
Electronic Voting Systems on Nov. 6, 1997; this is when I first saw it.

All voting equipment submitted for examination in Iowa must be submitted
with the Independent Testing Authority reports certifying its conformance
with the (otherwise voluntary) Federal Voting System Standards. This is how
I came to review the Wyle report [5].

In my review of the Wyle report, I noted that while it praised the security
of the I-Mark software and noted that it used the Federally approved
Data Encryption Standard, there was no hint in the Wyle report that the
software they had examined contained any provisions for key management.
I asked about this at the Nov. 6, 1997 meeting, and my worst fears were
confirmed. None of the Global representatives at the meeting, nor the
programmer they connected me to by cellphone, understood the phrase
"key management," and it appeared that the security keys for the
encryption used by the I-Mark software were hard-coded into the voting
application.

I scolded the Global representatives for this, telling them that their
system might be OK as a prototype, but that they must adopt proper key
management techniques before their system entered widespread use. I told
them that, as things stood, their system relied on security through obscurity,
so they must take measures to assure that their code remains obscure and
that no copy of their code ever leaks out into public. I told them that
the moment one of their machines goes to the landfill or is otherwise
disposed of, someone might extract their encryption key and all of their
security claims would become meaningless.

In May 2001, I appeared before the House Science Committee to testify about
problems with the Federal Election Commission Voting System Standards, and
I used this example as one illustration. A competent evaluation of the I-Mark
source code against even the marginal 1990 FEC standards should not have
ignored a security problem of this magnitude [6].

The Diebold and Global FTP Sites

In 2001, Diebold purchased Global Election Systems. By this time,
Global was selling the descendant of the
I-Mark Electronic Ballot Station
as the AccuVote TS (touch screen) voting terminal.

In January 2003, unnamed whistle-blowers exploring the web using Google
discovered that Diebold Election Systems was maintaining a public FTP
(file-transfer protocol) site on the Internet from which copies of
various Diebold voting software could be downloaded. On Feb. 4, 2003,
employees of Diebold admitted to Bev Harris that they had
used this site to exchange and update unspecified Diebold voting system
software. It turned out that this FTP site was not new; it had existed
under Global [7].

Had the exchange of material on this FTP site been properly encrypted, it would
not have threatened Diebold's security through obscurity. Had Diebold
taken my advice in 1997, release of their software would not have threatened
the security of their system.
By this time, the Diebold AccuVote TS system had become one of the four leading
direct recording electronic voting systems in use in the United States.

Time to Face the Consequences!

With the release of the paper by Kohno, Stubblefield, Rubin and Wallach
on July 24, 2003 [1],
three things became immediately clear:
First, they found two unencrypted copies of the C++ source code for
the AccuVote TS system on the Diebold web site, one dating from
around 2000, and one dating from late 2002. The presence of these in
plaintext form, from two different years and placed there under two different
corporate owners, makes it clear that neither Global nor Diebold was
successfully using security through obscurity. Furthermore, even the encrypted
material on the Diebold FTP site was not well protected;
rudimentary password protection of zip archives is not the kind of
protection you would expect from anyone serious about security.

Second, neither Global nor Diebold had made any effort to correct the problem
I had attempted to explain to them in 1997 and that I had explained to the
House Science Committee in early 2001. The encryption key F2654hD4
is present, in plain view, in the source code, confirming both my inference
from 1997 and my worst fears about this code. To allow a security flaw of this
magnitude to remain uncorrected after being informed of its existence and
after the flaw has been described in public exhibits a serious disregard for
security!
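The defect described above, and the one I raised with Global in 1997, is the same one: cryptographic key material compiled into the voting application rather than managed outside it. As an added illustration that is not part of the original talk and is not Diebold's, Global's or Wyle's code, the following Python sketch shows the kind of static check a source code auditor or Independent Testing Authority could run over C++ source to flag embedded keys. The sample sources are constructed stand-ins with placeholder values, and the identifier patterns, allow-list suffixes and key lengths are assumptions of the example, not anything taken from the systems discussed here.

```python
import re

# Constructed C++ fragments standing in for source under review.
# "hardcoded.cpp" embeds key material in the binary; "managed.cpp" obtains it at run time.
SAMPLE_SOURCES = {
    "hardcoded.cpp": '''
        // key embedded directly in the application (constructed example, placeholder value)
        const char *DES_KEY = "EXAMPLE-KEY-0000";
        static unsigned char key[8] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };
        std::string password = "letmein";
    ''',
    "managed.cpp": '''
        // key material is loaded per jurisdiction at run time; nothing secret in the binary
        std::vector<uint8_t> key = keystore.load(jurisdiction_id);
        const char *KEY_LABEL = "precinct-des-key";
    ''',
}

# Identifier substrings that suggest secret material (matched case-insensitively).
SECRET_NAME = r"\w*(?:key|passwd|password|secret|token)\w*"

# Rule 1: a secret-named identifier assigned a string literal.
STRING_LITERAL_RE = re.compile(
    rf'\b({SECRET_NAME})\s*(?:\[[^\]]*\])?\s*=\s*"((?:[^"\\]|\\.)*)"',
    re.IGNORECASE,
)

# Rule 2: any array initialised from a brace list of numeric constants whose
# length is a common symmetric key size in bytes (DES = 8, AES = 16/24/32).
BYTE_ARRAY_RE = re.compile(r"\b(\w+)\s*\[[^\]]*\]\s*=\s*\{([^}]*)\}")
KEY_LENGTHS = {8, 16, 24, 32}

# Identifiers that name a key *reference* rather than key material; heuristic allow-list.
NON_SECRET_SUFFIXES = ("_LABEL", "_NAME", "_PATH", "_FILE", "_ID", "_LEN", "_SIZE")


def _line_of(text, pos):
    """1-based line number of character offset pos."""
    return text.count("\n", 0, pos) + 1


def find_hardcoded_keys(src):
    """Return findings as dicts {line, identifier, rule, value}, sorted by line."""
    # Blank out // comments (keeping newlines) so prose mentioning "key" never matches.
    code = re.sub(r"//[^\n]*", "", src)
    findings = []
    for m in STRING_LITERAL_RE.finditer(code):
        ident, literal = m.group(1), m.group(2)
        if ident.upper().endswith(NON_SECRET_SUFFIXES):
            continue
        findings.append({"line": _line_of(code, m.start()), "identifier": ident,
                         "rule": "string-literal", "value": literal})
    for m in BYTE_ARRAY_RE.finditer(code):
        ident, body = m.group(1), m.group(2)
        constants = re.findall(r"0x[0-9a-fA-F]+|\b\d+\b", body)
        if len(constants) in KEY_LENGTHS:
            findings.append({"line": _line_of(code, m.start()), "identifier": ident,
                             "rule": "byte-array", "value": f"{len(constants)} bytes"})
    return sorted(findings, key=lambda f: (f["line"], f["identifier"]))


def scan(sources):
    """Run the check over a {filename: source} mapping; only files with findings are returned."""
    return {name: hits for name, src in sources.items() if (hits := find_hardcoded_keys(src))}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_SOURCES).items():
        for f in hits:
            print(f"{name}:{f['line']}: {f['rule']} in '{f['identifier']}' ({f['value']})")
```

A check like this is deliberately coarse: it reports where secret-looking constants live, and a reviewer then asks the question the Wyle report never asked, namely where the key comes from and how it is changed. Only the "managed" fragment passes, because its key is fetched from an external store and the one string it does embed is a label, not the key itself.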

Third, the Diebold AccuVote direct recording electronic voting system relied
on security through obscurity far more pervasively than I had imagined when
I read the Wyle Report [5] in 1997. Their use of smartcards, it turns out,
was not at all clever, but
was just as bad as their use of the Federal Data Encryption Standard, ignoring
almost everything known about security and key management, and open to
attack by outsiders with no access to the source code because keys were
transmitted to the card in plaintext form.

Therefore, as soon as I heard about the New York Times news story on
the afternoon of July 23, 2003 [2], I issued an immediate call for the
decertification of the Diebold AccuVote TS system. As it turned out,
this had no impact in Iowa (none were in use), but this is important
in many other jurisdictions.

I want to emphasize that my recommendation for the immediate decertification
of the Diebold touch screen system does not apply to the AccuVote
optical mark-sense system. This system may well incorporate many of the same
security flaws as their touch-screen system, but because it uses
voter-verified paper ballots, and because the normal procedure is to
print a paper copy of the vote totals before making a modem connection
from the machine to any remote system, these security flaws are far less
significant. Until such time as Diebold corrects these flaws,
however, I would recommend against use of the post-election electronic
transmission features of these machines, and I would recommend that
security for pre-election programming rely entirely on locked doors and
a carefully recorded chain of custody.

Finally, I want to emphasize that this story represents more than just a
black eye for Diebold. It represents a black eye for the entire
system of Voting System Standards promulgated by the
Federal Election Commission and the National Association of State Election
Directors. Not only did the I-Mark/Global/Diebold touch screen system
pass all of the tests imposed by this standards process, but it passed them
many times, and the source code auditors even gave it exceptionally high marks.
Given this, should we trust the security of any of the other direct
recording electronic voting systems on the market?

[5] Qualification Testing of the I-Mark Electronic Ballot Station,
Report No. 45450-01,
Wyle Laboratories, Huntsville, Alabama, Sept. 10, 1996.
This report is confidential! The only content of this report disclosed
here is material that was discussed in open meetings of the Iowa Board of
Examiners for Voting Machines and Electronic Voting Systems.